It has been nearly a month since the European Court of Justice ruled that the transfer of personal data to the United States (US), including hosting there, is no longer permitted on the basis of the Privacy Shield. In the so-called Schrems II case, the Court ruled that the Privacy Shield does not offer sufficient guarantees against data collection by the US intelligence agencies and mass surveillance. For the same reason, concluding the Standard Contractual Clauses (SCCs) is not necessarily sufficient either. What are the consequences for data centers? In any case, the physical location of data and access to it from abroad will become a lot more important.
What is the Privacy Shield and why is it broken?
Where personal data is processed, the General Data Protection Regulation (GDPR) applies. ‘Processing’ covers almost everything you can do with personal data, including hosting and storing it. When European organizations choose a supplier outside the European Economic Area (EEA), additional safeguards must be in place to provide the same level of protection as the GDPR establishes. Such a safeguard may be that the European Commission has designated the country as ‘adequate’, that the SCCs drawn up by the European Commission have been concluded, that binding corporate rules are in place, or that a derogation under Article 49 applies (such as the consent of the person concerned).
The Privacy Shield was a form of ‘adequacy’ for the US. It allowed American organizations to demonstrate through self-certification that they had taken extra steps to guarantee the protection of European data. The Court ruled that this was not enough: despite these extra steps, the US security and intelligence services can demand access to the data, and the systems can be subject to mass surveillance.
This is precisely why the SCCs are in question as well. The SCCs remain valid as a mechanism, but only if the legislation in the ‘receiving’ country does not undermine the level of protection that the SCCs establish, and US law does undermine it. The Court thus places more responsibility on organizations: if you use the SCCs, you must also investigate the legislation in the receiving country.
What are the consequences for colocation?
The judgment is still recent, but the European Data Protection Board (EDPB, the alliance of European privacy supervisory authorities) is merciless: there is no transition period, and if you continue to use American suppliers, you must report this to your supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens.
With these new rules, the physical location of data has become a lot more important: a data center in the US is no longer a natural option for European organizations, and the demand for European data centers will increase as a result. Because the term ‘processing’ is broader than just storing data on a server, the possibility of access to the data also becomes more important. We expect that European organizations with an American parent company will receive more and more requests from customers to ensure that the data is actually physically stored in Europe and that the American entity has no access to it. Encryption, for example, is one option to achieve this. If there is access from the US, the customer will have to conduct due diligence, and as a data center or hosting provider you will have to be able to offer extra guarantees to prevent access by the US government and mass surveillance.